Re: StartTLS with a host alias
Hallvard B Furuseth wrote:
> Robert Minsk writes:
>> My cert on my LDAP server contains multiple commonName entries.
>>
>> openssl x509 -noout -in s014-ldap-cert.pem -subject
>> subject= /C=US/ST=California/O=FooBar/CN=s014.cgi.foobar.com/CN=ldap1.cgi.foobar.com/CN=s14.cgi.foobar.com
>
> There is only supposed to be one CN in the certificate name.

Well, there can be any number of CNs in a DN. But only the most-inferior RDN
actually names the certificate, therefore that's the only one that may be used
in hostname checking.

Strange that he said the syncrepl config works, since the syncrepl consumer
uses the same libldap functions as the ldapsearch command line to open a TLS
session. Unless of course his slapd is not linked with the same version of the
libraries as his command line tools.

> However you can put multiple hostnames in the certificate's
> Subject Alternative Name (aka Subject Alt Name) extension.

Right.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
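As an added illustration of the point made in this thread (not code from the thread or from OpenLDAP), the script below parses the openssl one-line subject quoted above, picks out the most-inferior CN, and emulates a hostname check that consults the Subject Alternative Name first and the last CN only as a fallback. The SAN line and the wildcard entry are constructed sample values, and the SAN-first rule is the RFC 6125 one, assumed here rather than taken from libldap.

```python
import re

# Constructed sample input in the one-line format quoted in the thread (hostnames are
# the thread's example names); the SAN line imitates `openssl x509 -ext subjectAltName`.
SUBJECT_LINE = ("subject= /C=US/ST=California/O=FooBar/CN=s014.cgi.foobar.com"
                "/CN=ldap1.cgi.foobar.com/CN=s14.cgi.foobar.com")
SAN_LINE = "DNS:ldap1.cgi.foobar.com, DNS:*.cgi.foobar.com, IP Address:192.0.2.10"

def parse_subject(line):
    """Parse openssl's '/C=.../CN=...' one-liner into an ordered list of (type, value)."""
    dn = line.split("=", 1)[1] if line.startswith("subject=") else line
    rdns = []
    for part in re.split(r"(?<!\\)/", dn.strip()):   # split on unescaped '/'
        if part:
            attr, _, value = part.partition("=")
            rdns.append((attr, value.replace("\\/", "/")))
    return rdns

def hostname_cn(rdns):
    """Only the most-inferior (last) CN names the certificate for hostname checks."""
    cns = [v for a, v in rdns if a == "CN"]
    return cns[-1] if cns else None

def san_dns_names(line):
    """Extract dNSName entries; other SAN types (IP Address, email) are ignored."""
    return [e.strip()[4:] for e in line.split(",") if e.strip().startswith("DNS:")]

def name_matches(pattern, host):
    """Case-insensitive exact match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        pl, hl = pattern.split("."), host.split(".")
        return len(pl) == len(hl) and pl[1:] == hl[1:]
    return pattern == host

def host_accepted(host, subject_line, san_line=""):
    """RFC 6125 rule (assumed): if the SAN carries dNSNames use only those, else the last CN."""
    dns = san_dns_names(san_line)
    candidates = dns if dns else [hostname_cn(parse_subject(subject_line))]
    return any(c and name_matches(c, host) for c in candidates)

if __name__ == "__main__":
    for h in ("s014.cgi.foobar.com", "s14.cgi.foobar.com", "ldap1.cgi.foobar.com"):
        print(f"{h:22} CN-only: {host_accepted(h, SUBJECT_LINE)!s:5} "
              f"with SAN: {host_accepted(h, SUBJECT_LINE, SAN_LINE)}")
```

With the certificate as quoted and no SAN, only s14.cgi.foobar.com passes; the first two CNs are never consulted, which is exactly why the ldapsearch against the alias failed.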